Security
Last updated: April 18, 2026
Dealerships trust us with sensitive business data — vehicle inventory, pricing, CarFax reports, and customer-facing photos. This page explains the measures we take to protect that data.
Infrastructure
QuickFlip Recon is built on well-established cloud infrastructure:
- Supabase hosts our Postgres database, authentication system, and file storage. Supabase is SOC 2 Type 2 certified and encrypts all data at rest with AES-256.
- Vercel hosts our web application and serverless compute layer. Vercel is SOC 2 Type 2 certified.
- Stripe processes payments. Stripe is PCI DSS Level 1 certified — the highest standard for card handling. We never see or store card data.
Encryption
- All traffic between your browser and our servers uses TLS 1.2+ (HTTPS).
- Database contents are encrypted at rest with AES-256 by Supabase.
- Passwords are hashed using bcrypt with per-user salts (via Supabase Auth). We never store plaintext passwords.
- Uploaded files (photos, CarFax PDFs) are stored in Supabase Storage buckets with access-controlled URLs. Private buckets (e.g. service reports) require a signed URL to view.
Authentication
- Multi-factor authentication is required on every account. We enforce TOTP-based 2FA (compatible with Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc.). Accounts cannot complete login without a valid 6-digit code.
- Sessions use signed, HTTP-only, SameSite cookies. Session tokens rotate automatically.
- Admins can reset a user's password or MFA from the Users admin panel if a user is locked out.
Access control
- All data is partitioned by dealer group in our Postgres database. Postgres row-level security (RLS) policies enforce that no user can read or modify data outside their group, even if there is a bug in our application code. This is a defense-in-depth measure.
- Three access levels are enforced both in the application layer and in the database:
  - Level 1 (Sales) — view inventory and add vehicles.
  - Level 2 (Recon/Pricing) — Level 1 plus edit vehicles, change prices, manage recon workflow.
  - Level 3 (Admin) — everything, plus manage users, dealerships, and subscriptions.
- Only Level 3 admins can invite users, reset passwords/MFA, or access billing.
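As an added illustration of the tenant partitioning and level checks described above (this is example SQL, not QuickFlip Recon's actual schema or policies), here is how Postgres row-level security on Supabase can tie every row to a dealer group and gate reads and writes by the caller's access level. Table and column names (memberships, vehicles, dealer_group_id, access_level) and the helper function my_level are assumed; auth.uid() is Supabase's built-in function returning the authenticated user's id.

```sql
-- Illustrative schema (assumed names, not QuickFlip Recon's own).
-- Each user belongs to one dealer group and holds a level 1..3.
create table memberships (
  user_id         uuid not null references auth.users (id),
  dealer_group_id uuid not null,
  access_level    smallint not null check (access_level between 1 and 3),
  primary key (user_id, dealer_group_id)
);

create table vehicles (
  id              uuid primary key default gen_random_uuid(),
  dealer_group_id uuid not null,
  vin             text not null,
  price_cents     integer not null
);

-- Without this statement the policies below are never consulted.
alter table vehicles enable row level security;
-- Apply RLS to the table owner too, so a bug running as owner cannot bypass it.
alter table vehicles force row level security;

-- Caller's level in a given dealer group, or 0 if not a member.
-- security definer lets the policy read memberships regardless of that table's own RLS.
create or replace function my_level(g uuid) returns smallint
language sql stable security definer set search_path = public as $$
  select coalesce(
    (select access_level from memberships
      where user_id = auth.uid() and dealer_group_id = g),
    0::smallint);
$$;

-- Level 1+: read rows, but only in the caller's own group.
create policy vehicles_select on vehicles for select
  using (my_level(dealer_group_id) >= 1);

-- Level 1+: add vehicles, but only into the caller's own group.
create policy vehicles_insert on vehicles for insert
  with check (my_level(dealer_group_id) >= 1);

-- Level 2+: edit vehicles/prices; the row must stay in the caller's group.
create policy vehicles_update on vehicles for update
  using (my_level(dealer_group_id) >= 2)
  with check (my_level(dealer_group_id) >= 2);

-- Level 3 only: delete, still restricted to the caller's group.
create policy vehicles_delete on vehicles for delete
  using (my_level(dealer_group_id) >= 3);
```

Note that in Supabase the service_role key bypasses RLS, so the database-level guarantee only holds for queries made with end-user JWTs (the anon and authenticated roles); server-side code using the service key must enforce the same checks itself.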
Operational security
- Our infrastructure providers (Supabase, Vercel, Stripe) perform continuous backups. Supabase retains point-in-time recovery windows covering at least the last 24 hours.
- We use vetted and industry-standard libraries. Dependency updates are reviewed and applied regularly.
- Access to production systems is limited to authorized personnel and requires multi-factor authentication.
- Sensitive credentials (API keys, database passwords) are stored in Vercel's encrypted environment variable store, never committed to source code.
Payment security
Card data is handled entirely by Stripe. We only receive a token representing your payment method. We never have access to full card numbers, CVCs, or PINs. If a card is lost or compromised, you update it in Stripe's hosted portal from your Billing page — we never ask for card details over email or phone.
Incident response
If we become aware of a security incident affecting your data, we will notify affected customers by email within 72 hours of confirmation, and provide updates as our investigation progresses. We'll work with you to meet any regulatory notification obligations (including, where applicable, PIPEDA's mandatory breach reporting).
Reporting vulnerabilities
If you find a security issue, please let us know at security@quickfliprecon.com. We appreciate responsible disclosure and will work with you to verify and fix the issue quickly. Please don't publicly disclose the issue until we've had a chance to respond.
What we're still working on
We're early. We're transparent about the controls that are mature and those that we're still building out:
- SOC 2 Type 1 / Type 2 audit — planned for our second year of operation.
- Formal penetration testing program — planned once we have 50+ paying customers.
- Audit logs surfaced to admins — planned for 2026.
If any of these are blocking you from adopting QuickFlip Recon for your dealer group, please reach out — we're happy to discuss our security roadmap and accelerate items that matter most.
Contact
Security questions or concerns: security@quickfliprecon.com